From 39f572cc73d3ffe6d6647260ec1bc57215e89b75 Mon Sep 17 00:00:00 2001
From: Oscar Salvador
Date: Mar 13 2023 05:38:16 +0000
Subject: Merge remote-tracking branch 'origin/users/mfranc/cve/linux-5.3/for-next' into cve/linux-5.3
Pull tap fixes from Miroslav Franc
---
diff --git a/patches.suse/net-add-sock_init_data_uid.patch b/patches.suse/net-add-sock_init_data_uid.patch
new file mode 100644
index 0000000..183d996
--- /dev/null
+++ b/patches.suse/net-add-sock_init_data_uid.patch
@@ -0,0 +1,84 @@
+From: Pietro Borrello
+Date: Sat, 4 Feb 2023 17:39:20 +0000
+Subject: net: add sock_init_data_uid()
+Git-commit: 584f3742890e966d2f0a1f3c418c9ead70b2d99e
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1076 bsc#1208599
+
+Add sock_init_data_uid() to explicitly initialize the socket uid.
+To initialise the socket uid, sock_init_data() assumes a the struct
+socket* sock is always embedded in a struct socket_alloc, used to
+access the corresponding inode uid. This may not be true.
+Examples are sockets created in tun_chr_open() and tap_open().
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Pietro Borrello
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ include/net/sock.h | 7 ++++++-
+ net/core/sock.c | 15 ++++++++++++---
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/include/net/sock.h b/include/net/sock.h
+index 22d50dabdc9d..da758f2273e4 100644
+--- a/include/net/sock.h
++++ b/include/net/sock.h
+@@ -1739,7 +1739,12 @@ void sk_common_release(struct sock *sk);
+ * Default socket callbacks and setup code
+ */
+
+-/* Initialise core socket variables */
++/* Initialise core socket variables using an explicit uid. */
++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid);
++
++/* Initialise core socket variables.
++ * Assumes struct socket *sock is embedded in a struct socket_alloc.
++ */
+ void sock_init_data(struct socket *sock, struct sock *sk);
+
+ /*
+diff --git a/net/core/sock.c b/net/core/sock.c
+index 652913df588d..28382b23afe2 100644
+--- a/net/core/sock.c
++++ b/net/core/sock.c
+@@ -2878,7 +2878,7 @@ void sk_stop_timer(struct sock *sk, struct timer_list* timer)
+ }
+ EXPORT_SYMBOL(sk_stop_timer);
+
+-void sock_init_data(struct socket *sock, struct sock *sk)
++void sock_init_data_uid(struct socket *sock, struct sock *sk, kuid_t uid)
+ {
+ sk_init_common(sk);
+ sk->sk_send_head = NULL;
+@@ -2897,11 +2897,10 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ sk->sk_type = sock->type;
+ RCU_INIT_POINTER(sk->sk_wq, &sock->wq);
+ sock->sk = sk;
+- sk->sk_uid = SOCK_INODE(sock)->i_uid;
+ } else {
+ RCU_INIT_POINTER(sk->sk_wq, NULL);
+- sk->sk_uid = make_kuid(sock_net(sk)->user_ns, 0);
+ }
++ sk->sk_uid = uid;
+
+ rwlock_init(&sk->sk_callback_lock);
+ if (sk->sk_kern_sock)
+@@ -2959,6 +2958,16 @@ void sock_init_data(struct socket *sock, struct sock *sk)
+ refcount_set(&sk->sk_refcnt, 1);
+ atomic_set(&sk->sk_drops, 0);
+ }
++EXPORT_SYMBOL(sock_init_data_uid);
++
++void sock_init_data(struct socket *sock, struct sock *sk)
++{
++ kuid_t uid = sock ?
++ SOCK_INODE(sock)->i_uid :
++ make_kuid(sock_net(sk)->user_ns, 0);
++
++ sock_init_data_uid(sock, sk, uid);
++}
+ EXPORT_SYMBOL(sock_init_data);
+
+ void lock_sock_nested(struct sock *sk, int subclass)
diff --git a/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
new file mode 100644
index 0000000..d6131f5
--- /dev/null
+++ b/patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch
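Review bot: The new header comment on sock_init_data() in the include/net/sock.h hunk states the socket_alloc assumption but not that the function deliberately accepts sock == NULL, which the new wrapper body in net/core/sock.c handles by falling back to `make_kuid(sock_net(sk)->user_ns, 0)`; a reader skimming the header could conclude a NULL sock is a bug. I would extend the comment to say that sock may be NULL (uid 0 in the socket's netns user namespace) and that when non-NULL it must have come from sock_alloc(), because SOCK_INODE() is a container_of() into struct socket_alloc, so any other embedding must use sock_init_data_uid() instead. The patch itself only migrates the two callers named in the description (tun and tap); since the wrapper keeps the SOCK_INODE() lookup for everyone else, it is worth grepping this 5.3 tree for further sock_init_data() callers whose struct socket is not allocated by sock_alloc(), as those would still read a bogus uid. sock_init_data_uid()'s body starts and ends outside the shown hunks, so the interleaving of the two @@ fragments cannot be fully checked from here.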
@@ -0,0 +1,46 @@
+From: Florian Westphal
+Date: Tue, 9 Aug 2022 18:34:02 +0200
+Subject: netfilter: nf_tables: fix null deref due to zeroed list head
+Git-commit: 580077855a40741cf511766129702d97ff02f4d9
+Patch-mainline: v6.0-rc1
+References: CVE-2023-1095 bsc#1208777
+
+In nf_tables_updtable, if nf_tables_table_enable returns an error,
+nft_trans_destroy is called to free the transaction object.
+
+nft_trans_destroy() calls list_del(), but the transaction was never
+placed on a list -- the list head is all zeroes, this results in
+a null dereference:
+
+BUG: KASAN: null-ptr-deref in nft_trans_destroy+0x26/0x59
+Call Trace:
+ nft_trans_destroy+0x26/0x59
+ nf_tables_newtable+0x4bc/0x9bc
+ [..]
+
+Its sane to assume that nft_trans_destroy() can be called
+on the transaction object returned by nft_trans_alloc(), so
+make sure the list head is initialised.
+
+Fixes: 55dd6f93076b ("netfilter: nf_tables: use new transaction infrastructure to handle table")
+Reported-by: mingi cho
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: Miroslav Franc
+---
+ net/netfilter/nf_tables_api.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
+index 460b0925ea60..3cc88998b879 100644
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
+ if (trans == NULL)
+ return NULL;
+
++ INIT_LIST_HEAD(&trans->list);
+ trans->msg_type = msg_type;
+ trans->ctx = *ctx;
+
+
diff --git a/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch
new file mode 100644
index 0000000..51470f8
--- /dev/null
+++ b/patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch
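Review bot: The added `INIT_LIST_HEAD(&trans->list);` in nft_trans_alloc_gfp() carries no explanation of why a freshly allocated transaction needs a self-linked list head, so a future cleanup that "simplifies" the allocator back to relying on zeroed memory would silently reintroduce the null dereference this patch fixes. I would put a short comment above it: `/* nft_trans_destroy() list_del()s unconditionally; a trans may be destroyed before it is ever added to a list (e.g. nf_tables_updtable() error path) */`. The fix relies on list_del() being safe on a self-linked head; it does not make nft_trans_destroy() safe to call twice, which is unchanged from before and presumably never happens, but worth keeping in mind when reviewing other error paths. The allocation call itself and the rest of nft_trans_alloc_gfp() lie outside the hunk, so that the struct is zeroed in this 5.3 tree (as the description says) cannot be confirmed from the shown lines.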
@@ -0,0 +1,43 @@
+From: Pietro Borrello
+Date: Sat, 4 Feb 2023 17:39:22 +0000
+Subject: tap: tap_open(): correctly initialize socket uid
+Git-commit: 66b2c338adce580dfce2199591e65e2bab889cff
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1076 bsc#1208599
+
+sock_init_data() assumes that the `struct socket` passed in input is
+contained in a `struct socket_alloc` allocated with sock_alloc().
+However, tap_open() passes a `struct socket` embedded in a `struct
+tap_queue` allocated with sk_alloc().
+This causes a type confusion when issuing a container_of() with
+SOCK_INODE() in sock_init_data() which results in assigning a wrong
+sk_uid to the `struct sock` in input.
+On default configuration, the type confused field overlaps with
+padding bytes between `int vnet_hdr_sz` and `struct tap_dev __rcu
+*tap` in `struct tap_queue`, which makes the uid of all tap sockets 0,
+i.e., the root one.
+Fix the assignment by using sock_init_data_uid().
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Pietro Borrello
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ drivers/net/tap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/tap.c b/drivers/net/tap.c
+index a2be1994b389..8941aa199ea3 100644
+--- a/drivers/net/tap.c
++++ b/drivers/net/tap.c
+@@ -533,7 +533,7 @@ static int tap_open(struct inode *inode, struct file *file)
+ q->sock.state = SS_CONNECTED;
+ q->sock.file = file;
+ q->sock.ops = &tap_socket_ops;
+- sock_init_data(&q->sock, &q->sk);
++ sock_init_data_uid(&q->sock, &q->sk, inode->i_uid);
+ q->sk.sk_write_space = tap_sock_write_space;
+ q->sk.sk_destruct = tap_sock_destruct;
+ q->flags = IFF_VNET_HDR | IFF_NO_PI | IFF_TAP;
+
diff --git a/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch
new file mode 100644
index 0000000..ebeadfe
--- /dev/null
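Review bot: The replacement line `sock_init_data_uid(&q->sock, &q->sk, inode->i_uid);` in tap_open() gives no hint of why the plain sock_init_data() is wrong here, and the type-confusion reasoning lives only in the patch description, which is lost once the patch is folded into the tree. I would add a one-line comment above the call: `/* q->sock is embedded in struct tap_queue, not struct socket_alloc: sock_init_data() would container_of() into garbage for the uid */`, so the next person who tidies the driver does not revert to the short form. Note that q->sock.ops and q->sock.file are set in the lines just above while q->sock.state is forced to SS_CONNECTED, so the struct is clearly hand-built rather than coming from sock_alloc(), which the comment would make explicit. tap_open() starts and ends outside this hunk; the remaining initialisation of q after this point is not visible here.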
+++ b/patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch
@@ -0,0 +1,43 @@
+From: Pietro Borrello
+Date: Sat, 4 Feb 2023 17:39:21 +0000
+Subject: tun: tun_chr_open(): correctly initialize socket uid
+Git-commit: a096ccca6e503a5c575717ff8a36ace27510ab0a
+Patch-mainline: v6.3-rc1
+References: CVE-2023-1076 bsc#1208599
+
+sock_init_data() assumes that the `struct socket` passed in input is
+contained in a `struct socket_alloc` allocated with sock_alloc().
+However, tun_chr_open() passes a `struct socket` embedded in a `struct
+tun_file` allocated with sk_alloc().
+This causes a type confusion when issuing a container_of() with
+SOCK_INODE() in sock_init_data() which results in assigning a wrong
+sk_uid to the `struct sock` in input.
+On default configuration, the type confused field overlaps with the
+high 4 bytes of `struct tun_struct __rcu *tun` of `struct tun_file`,
+NULL at the time of call, which makes the uid of all tun sockets 0,
+i.e., the root one.
+Fix the assignment by using sock_init_data_uid().
+
+Fixes: 86741ec25462 ("net: core: Add a UID field to struct sock.")
+Signed-off-by: Pietro Borrello
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Acked-by: Miroslav Franc
+---
+ drivers/net/tun.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/tun.c b/drivers/net/tun.c
+index a7d17c680f4a..745131b2d6db 100644
+--- a/drivers/net/tun.c
++++ b/drivers/net/tun.c
+@@ -3448,7 +3448,7 @@ static int tun_chr_open(struct inode *inode, struct file * file)
+ tfile->socket.file = file;
+ tfile->socket.ops = &tun_socket_ops;
+
+- sock_init_data(&tfile->socket, &tfile->sk);
++ sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);
+
+ tfile->sk.sk_write_space = tun_sock_write_space;
+ tfile->sk.sk_sndbuf = INT_MAX;
+
diff --git a/series.conf b/series.conf
index ab95bb5..a2fa010 100644
--- a/series.conf
+++ b/series.conf
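Review bot: The uid passed on the new line `sock_init_data_uid(&tfile->socket, &tfile->sk, inode->i_uid);` is the owner of the character-device inode handed to tun_chr_open(), i.e. the owner of the /dev/net/tun node, not the credentials of the task opening it; this matches the upstream commit, but it differs from what a socket()-created sock gets, where the sock inode's uid is derived from the creating task. On a system where /dev/net/tun is root-owned with a permissive mode, an unprivileged opener therefore still ends up with a root sk_uid, which presumably is fine for the CVE at hand but should be confirmed against whatever consumers of sk_uid (socket-owner matching, cgroup/BPF hooks) this tree relies on. I would make the choice visible with a comment above the call: `/* attribute the socket to the owner of the tun device inode (as upstream), not current_fsuid() */`. tun_chr_open() continues outside the hunk, so whether anything later adjusts tfile->sk.sk_uid is not visible here.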
@@ -22992,6 +22992,7 @@ patches.suse/atm-idt77252-fix-use-after-free-bugs-caused-by-tst_t.patch patches.suse/netfilter-nf_tables-do-not-allow-SET_ID-to-refer-to-.patch patches.suse/netfilter-nf_tables-do-not-allow-RULE_ID-to-refer-to.patch + patches.suse/netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch patches.suse/vsock-Fix-memory-leak-in-vsock_connect.patch patches.suse/devlink-Fix-use-after-free-after-a-failed-reload.patch patches.suse/net_sched-cls_route-remove-from-list-when-handle-is-.patch @@ -23065,6 +23066,9 @@ patches.suse/HID-check-empty-report_list-in-bigben_probe.patch patches.suse/HID-betop-check-shape-of-output-reports.patch patches.suse/net-mpls-fix-stale-pointer-if-allocation-fails-durin.patch + patches.suse/net-add-sock_init_data_uid.patch + patches.suse/tun-tun_chr_open-correctly-initialize-socket-uid.patch + patches.suse/tap-tap_open-correctly-initialize-socket-uid.patch patches.suse/media-rc-Fix-use-after-free-bugs-caused-by-ene_tx_ir.patch # netdev/net